Category Archives: Microsoft Azure

Azure Management services: What's new in May 2020

To stay constantly updated on news regarding Azure management services, our community releases this monthly summary, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented in a synthetic way and accompanied with the necessary references to be able to conduct further studies.

The following diagram shows the different areas related to management, which are covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. The main innovations introduced are:

  • Stability and reliability improvements.
  • Improved support for Azure Arc for Server.
  • FIPS Compliance.
  • RHEL support 8.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 17 August 2020, postponing the date previously set to 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 17 August 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Feature extensions of Azure Monitor

The following enhancements have been made in Azure Monitor that expand its functionality and make it an increasingly complete solution:

  • Azure Monitor availability for Azure Storage and Azure Monitor for Azure Cosmos DB.
  • Azure Monitor preview for Azure Key Vault and Azure Monitor for Redis Cache.
  • Preview of Azure Monitor Application Insights in Azure Monitor Logs workspaces.
  • Capacity reservation and CMK encryption with Azure Monitor Logs clusters dedicated to large-scale deployments.

Azure Private Link Availability for Azure Monitor
The Azure Private Link feature is now also available for Azure Monitor and allows you to have the following features:

  • Private connectivity to Azure Monitor Logs workspaces and to Azure Application Insights.
  • Exfiltration data protection with granular access to specific resources.
  • Protecting resources from access from the public network.

At the moment you need to make a request explicitly to access these features.

Improve the experience when deleting and restoring Azure Monitor Logs workspaces

Microsoft has added soft-delete workspace functionality to make it easier to recover if necessary. In fact, in the event of a cancellation, the workspace will go into a soft-delete state to allow it to be restored if necessary, including data and connected agents, within 14 days. This behavior can be circumvented and permanently deleted the workspace. To avoid the incorrect elimination of the workspaces from the Azure portal, a specific section has been added where you can consult how many solutions are installed and the relative daily data volume received in the last 7 days by data type.
Restoring the workspace, can now take place directly from the Azure portal.

Azure Advisor recommendation digests

Azure Advisor introduces the ability to receive a periodic summary of the available best practice recommendations developed by the solution. Advisor Digest Recommendations keep you up-to-date on Azure optimization opportunities outside the Azure portal. Notifications are customizable and handled through Azure Monitor Action Group.

Azure Service Health also includes emerging issues

Azure Service Health now also reports emerging issues in the Azure portal. An emerging problem is a situation in which Azure is aware of a widespread outage but may not yet be fully aware of the extent and amplitude. Previously, emerging problems were only available in the Azure Status page.

Configure

Azure Automation

TLS 1.2 Enforcement

Starting from September 1st 2020, Azure Automation will impose the presence of Transport Layer Security (TLS) version 1.2 or later, for all external HTTPS endpoints.

Secure

Azure Security Center

Changes to the just-in-time service (JIT) virtual machine (VM) Access

In the just-in-time service (JIT) virtual machine (VM) access have been made the following changes:

  • The recommendation advising to enable JIT on a VM has been renamed by “Just-in-time network access control should be applied on virtual machines” in “Management ports of virtual machines should be protected with just-in-time network access control”.
  • The recommendation is now activated only if open management ports are detected.

Custom recommendations placed in a separate panel

All the custom recommendations created for your subscriptions are now positioned in the dedicated section “Custom recommendations”.

Account security recommendations moved to the section “Security best practices”

The following recommendations have been included in the section “Security best practices” and therefore do not impact on the secure score:

  • MFA should be enabled on accounts with read permissions on your subscription (originally in the “Enable MFA” control)
  • External accounts with read permissions should be removed from your subscription (originally in the “Manage access and permissions” control)
  • A maximum of 3 owners should be designated for your subscription (originally in the “Manage access and permissions” control)

Microsoft has decided to apply this change as it has determined that the risk of these three recommendations is lower than initially thought.

Protect

Azure Backup

SAP HANA backup for Red Hat Enterprise Linux VM

Azure Backup includes protecting SAP HANA databases on Red Hat Enterprise Linux virtual machines (RHEL). This feature allows to have in an integrated way and without having to provide a specific backup infrastructure, the protection of SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios.

Protect against accidental deletion of Azure file shares

To provide greater protection against cyberattacks and accidental deletion, Azure Backup has added an extra layer of security to the Azure file shares snapshot management solution. If you delete File Shares, content and its recovery points (Snapshots) are retained for a configurable period of time, enabling full recovery without data loss. When you configure protection for a file share, Azure Backup enables soft-delete functionality at the account storage level with a retention period of 14 days, which is configurable according to your needs. This setting determines the time window in which you can restore the contents and snapshots of your file shares after any accidental deletion operations. Once the share file is restored, backups resume working without the need for additional configurations.

Azure Site Recovery

Zone-to-zone disaster recovery available in new regions

Zone-to-Zone DR is now also available in the Southeast Asia and UK South regions. With this Azure Site Recovery feature, called zone-to-zone DR, there's an opportunity to create disaster recovery plans (DR) for virtual machines (VM), replicating them between different Azure Availability Zones. If a single Azure Availability Zone is compromised, you will be able to fail over virtual machines to a different zone within the same region and access them from the Secondary Availability Zone.

Introduced support for proximity groups

Azure Site Recovery has introduced support for proximity placement groups (PPGs). Thanks to this feature, any virtual machine (VM) hosted within a PPG can be secured using Azure Site Recovery. By enabling replication of that VM, you can provide a PPG in the secondary region as an additional parameter. When a failover process is activated, Site Recovery will place the VM in the user-supplied target PPG.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 19 and 20)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

New Azure VMware Solution in preview

Azure VMware Solution empowers customers to seamlessly extend or migrate their existing on-premises VMware applications to Azure without the cost, effort or risk of re-architecting applications or retooling operations. Preview of the new solution is initially available in US East and West Europe Azure regions. The new Azure VMware Solution is expected to be generally available in the second half of 2020 and at that time, availability will be extended across more regions.

The new Azure VMware Solution is:

  • First Party Microsoft Azure service, endorsed by VMware. The new release of Azure VMware Solution is built on Microsoft Azure without the use of a third-party technology. The solution is also cloud verified by VMware and leverages components of the VMware Cloud Foundation framework including vSphere, vCenter, NSX-T, vSAN and HCX.
  • Seamless integrated Azure experience. In the new solution Microsoft has rearchitected the Software Defined Datacenter (SDDC) layer that underpins the Private Cloud, ensuring a truly seamless Azure experience for customers.
  • VMware HCX Enterprise now available. The new Azure VMware Solution includes HCX Enterprise edition as an option. With additional features from HCX Enterprise, customers can further simplify their migration efforts to Azure including support for bulk live migrations.
  • Leverage pricing benefits for Microsoft workloads. Azure VMware Solutions supports the Azure Hybrid Benefit and Azure VMware Solution customers are also eligible for three years of free Extended Security Updates on 2008 versions of Windows Server and SQL Server.

New cloud regions in Italy, New Zealand and Poland

Microsoft announced plans for new cloud datacenter regions in three countries: Italy, New Zealand and Poland. In Italy, Microsoft is building a new datacenter region in Milan, which will provide access to Azure, Microsoft 365/Office 365 and Dynamics 365 and the Power Platform set of tools.

Virtual machine (VM)-level disk bursting

Virtual machine-level disk bursting is a new feature that allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily to handle unforeseen spikey disk traffic smoothly and process batched jobs with speed. The feature is now enabled on all Azure Lsv2-series virtual machines, with support for more virtual machine types and families to come soon. This feature doesn’t cost anything extra and comes enabled by default.

General availability of Azure Spot Virtual Machines

Azure Spot VMs provide access to unused Azure compute capacity at deep discounts. Spot pricing is available on single VMs in addition to VM scale sets (VMSS). This enables you to deploy a broader variety of workloads on Azure while enjoying access to discounted pricing compared to pay-as-you-go rates. Spot VMs offer the same characteristics as a pay-as-you-go virtual machine, the differences being pricing and evictions. Spot VMs can be evicted at any time if Azure needs capacity.

Storage

Azure Blob versioning public preview

Applications and users create, update, and delete data in Azure Blob storage continuously. A common requirement is the ability to manage and access both current and historical versions of the data. As the next step to enhance data management and protection, the Blob storage versioning preview is available. Azure Blob Versioning automatically maintains previous versions of an object and identifies them with version IDs. You can list both the current blob and previous versions using version ID timestamps. You can also access and restore previous versions as the most recent version of your data if it was erroneously modified or deleted by an application or other users.

Blob Index for Azure Storage in preview

Blob Index, a managed secondary index, allowing you to store multi-dimensional object attributes to describe your data objects for Azure Blob storage. It is now available in preview. Built on top of blob storage, Blob Index offers consistent reliability, availability, and performance for all your workloads. Blob Index provides native object management and filtering capabilities, which allows you to categorize and find data based on attribute tags set on the data.

General availability of geo-zone-redundant storage (GZRS)

GZRS helps achieve higher data resiliency by:

  • Synchronously writing three replicas of your data across multiple availability zones (like ZRS today) protecting from cluster, datacenter or entire zone failure.
  • Asynchronously replicating the data to another region within the same geo into a single zone (like LRS today) protecting from a regional outage.

When using GZRS, you can continue to read and write the data even if one of the availability zones in the primary region is unavailable. In the event of a regional failure you can also use read-access geo-zone-redundant storage (RA-GZRS) to continue having read access to your data or execute account failover to also restore write accessibility. GZRS provides a great balance of high performance, high availability and disaster recovery and is beneficial when building highly available applications/services in Azure.

Azure File Sync is removing support for TLS 1.0 and 1.1

Azure File Sync service will remove support for TLS 1.0 and 1.1 in August 2020.

Networking

Azure Virtual Network NAT in Azure Government and Azure China

Azure Virtual Network NAT (network address translation) is now generally available in the Azure Government and Azure China regions. NAT simplifies outbound-only internet connectivity for virtual networks and can be configured for one or more subnets of a virtual network.

Azure Firewall Updates

Two new key features in Azure Firewall are generally available:

Additionally, Microsoft is increasing the limit for multiple public IP addresses from 100 to 250 for both DNAT and SNAT.

Rules Engine for Azure Front Door Service is now in preview

Rules Engine on Azure Front Door Service brings your specific routing needs to the forefront of its application delivery experience, giving you more control over how you define and enforce what content gets served from where. Rules Engine empowers you to modify request and response headers, or dynamically override your existing route behavior based on incoming requests.

Private Link is now available on Event Grid

Azure Event Grid now has Private Link integration for custom topics and event domains, generally available in all Azure regions, allowing virtual network resources within their production workloads to communicate directly to their Event Grid topics without accessing the public internet. This enables enterprise workloads to take advantage of event-driven architectures securely for mission-critical workloads that require network isolation.

Azure Stack

Azure Stack Hub

Azure App Service and Azure Functions on Azure Stack Hub update available

A major update to Azure App Service on Azure Stack Hub is now available. The update build number is 87.0.2.10. All fixes and updates are detailed in the release notes.

This release updates the resource provider and brings new key capabilities and fixes:

  • Updates to App Service Tenant, Admin, Azure Functions portals, and Kudu tools.
  • Updates Azure Functions runtime to v1.0.13021.
  • Updates to core service to improve reliability and error messaging will enable easier diagnosis of common issues.
  • Updates to the application frameworks and tools including .NET Framework, ASP.NET Core, PHP, NodeJS, and NPM.
  • Windows Server updates to underlying operating system of all roles.
  • Cumulative updates for Windows Server are now applied to controller roles as part of deployment and upgrade.
  • Updated default virtual machine and scale set SKUs for new deployments.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Maintenance control for platform updates

The maintenance control feature for Azure Virtual Machines platform updates is now generally available for Azure Dedicated Hosts and isolated virtual machines (VMs). This feature gives you more control over platform maintenance when dealing with highly sensitive workloads. Use this feature to control all host updates, including rebootless updates, within a 35-day window. The ability to control the maintenance window is particularly useful when you deploy workloads that are extremely sensitive to interruptions running on an Azure Dedicated Host or an isolated VM where the underlying physical server runs a single customer’s workload. This feature is not supported for VMs deployed in hosts shared with other customers.

New DCsv2-series virtual machines are available

You can develop confidential applications that protect data while it’s being processed in the CPU with new DCsv2-series virtual machines (VMs), powered by Intel SGX. Traditionally, applications are protected while at rest and in transit. Now, you can deliver applications that protect data while in use. This enables a new set of scenarios like multiparty sharing, where it’s possible to combine data from multiple companies to run machine learning models without the companies getting access to each other’s data.

Windows Server containers in AKS now generally available

Windows Server containers in Azure Kubernetes Service (AKS) are now generally available. You can take advantage of this new feature to run Linux and Windows workloads side-by-side in a single cluster using the same tools. Create/upgrade/scale Windows node pools in AKS through the standard tools (portal/CLI) and Azure will help manage the health of the cluster.

Azure Migrate now available in Azure Government

Microsoft’s service for datacenter migration, Azure Migrate, is now available in Azure Government, unlocking the whole range of functionality for government customers. Azure Migrate V2 for Azure Government includes a one-stop shop for discovery, assessment, and migration of largescale datacenters.

Storage

Enhanced features in Azure Archive Storage

Three new feature enhancements for Azure Block Blob storage and Azure Archive storage are now generally available, making the service faster, simpler, and more capable.

  • Priority retrieval from Azure Archive. High rehydrate-priority fulfills the need for emergency data rehydrate from archive, with retrievals for blobs of a few GB typically taking less than one hour.
  • Upload blob direct to access tier of your choice. The PutBlob or PutBlockList API allows you to upload your blob data directly to any access tier (hot, cool, or archive). This enables customers to write cold data directly to Azure Archive, realizing their cost savings immediately.
  • CopyBlob enhanced capabilities. The CopyBlob API supports the archive access tier, allowing you to copy data into and out of the archive access tier within the same storage account. It also includes support for the other two new features—priority retrieval and direct to access tier of your choice.

Networking

Azure Firewall: support for Windows Virtual Desktop

You can use Azure Firewall to protect Window Virtual Desktop deployments. In addition there are FQDN tags for Windows Virtual Desktop (WVD).

Azure Private Link for AKS is generally available

Azure Kubernetes Service (AKS) Private Link is generally available. You can use it to isolate your Kubernetes API server within your Azure virtual network, enabling fully private communication with the managed Kubernetes control plane hosted by AKS.

Azure Management services: What's New in April 2020

Starting from this month, the series of articles released by our community about what's new in Azure management services is renewed. They will be articles, published on a monthly basis, dedicated exclusively to these topics to have a greater level of depth.

Management refers to the tasks and processes required to better maintain business applications and the resources that support them. Azure offers many strongly related services and tools to provide a comprehensive management experience. These services are not exclusively for Azure resources, but they can potentially also be used for on-premises environments or other public clouds.

The following diagram shows the different areas related to management, which will be covered in this series of articles, in order to stay up to date on these topics and to better deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor for containers: support for monitoring the use of GPUs on AKS GPU-enabled node pools

Azure Monitor for containers has introduced the ability to monitor the use of GPUs in Azure Kubernetes Service environments (AKS) with nodes that take advantage of GPUs. They are currently supported as NVIDIA and AMD vendors.
This monitoring functionality can be useful for:

  • Check the availability of GPUs on the nodes, the use of the GPU memory and the status of GPU requests by pods.
  • View the information collected through the built-in workbook available in the workbook gallery.
  • Generate alerts on pod status

Export of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. The functionality is called Continuos Export and is described in detail in this article.

Workflow automation functionality

Azure Security Center includes the ability to have workflows to respond to security incidents. Such processes may include notifications, the initiation of a change management process and the application of specific remediation operations. The recommendation is to automate as many procedures as possible as automation can improve safety by ensuring that the process steps are performed quickly, consistent and according to predefined requirements. The Azure Security Center has been made available the functionality workflow automation. It can be used to automatically trigger the Logic Apps trigger based on security alerts and recommendations. Furthermore, manual trigger execution is available for security alerts and for recommendations that have the quick fix option available.

Integration with Windows Admin Center

It is now possible to include Windows Server systems residing on-premises directly from the Windows Admin Center in Azure Security Center.

Azure Monitor Application Insights: monitors Java applications codeless

The Java Application Monitor is now made possible without making changes to the code, thanks to Azure Monitor Application Insights. In fact, the new Java codeless agent is available in preview. Among the libraries and frameworks supported by the new Java agent we find:

  • gRPC.
  • Netty/Webflux.
  • JMS.
  • Cassandra.
  • MongoDB.

Retiring the solution for Office 365

For the solution “Azure Monitor Office 365 management (Preview)”, which allows you to send the logs of Office 365 to Azure Monitor Log Analytics is expected to be retired on 30 July 2020. This solution has been replaced by the solution of Office 365 present in Azure Sentinel and the solution “Azure AD reporting and monitoring”. The combination of these two solutions is able to offer a better experience in configuration and in its use.

Azure Monitor for Containers: support for Azure Red Hat OpenShift

Azure Monitor for Containers now also supports in preview the monitor for Kubernetes clusters hosted on Azure Red Hat OpenShift version 4.x & OpenShift versione 4.x.

Azure Monitor Logs: limitations on concurrent queries

To ensure a consistent experience for all users in consulting the Azure Monitor Logs, will be gradually implemented new limits of concurrency. This will help protect yourself from sending too many queries simultaneously, which could potentially overload system resources and compromise responsiveness. These limits are designed to intervene and limit only extreme usage scenarios, but they should not be relevant for the typical use of the solution.

Secure

Azure Security Center

Dynamic compliance packages available

The Azure Security Center regulatory compliance dashboard now includes thedynamic compliance packages to trace further industry and regulatory standards. The dynamic compliance packages can be added at subscription or management group level from the Security Center policy page. After entering a standard or benchmark, this is displayed in the regulatory compliance dashboard with all related data. A summary report will also be available for download for all standards that have been integrated.

Identity recommendations included in Azure Security Center tier free

Security recommendations relating to identity and access have been included in the Azure Security Center tier free. This aspect allows to increase the functionality in the cloud security posture management area for free (CSPM). Before this change, these recommendations were only available in the Azure Security Center Standard tier. Here are some examples of recommendations for identity and access:

  • “Multifactor authentication should be enabled on accounts with owner permissions on your subscription.”
  • “A maximum of three owners should be designated for your subscription.”
  • “Deprecated accounts should be removed from your subscription.”

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

Thanks to the introduction of this new feature in Azure Backup, it introduces the ability to start restores at will in a secondary region, making them completely controlled by the customer. To do this, the Recovery Service vault that holds the backups must be set to geographic redundancy; in this way the backup data in the primary region are geographically replicated in the secondary region associated with Azure (paired region).

Figure 1 – New possible scenarios from Cross Region Restore (CRR)

Azure Files share snapshot management

Azure Backup introduces the ability to create Snapshots of Azure Files share, Daily, weekly, Monthly, and keep them until 10 years.

Figure 2 – Azure Files share snapshot management

Support for replacing existing disks for VMs with custom images

Azure Backup introduced support, during the recovery phases, to replace existing disks on virtual machines created with custom images.

SAP HANA backup

In Azure Backup, protection of SAP HANA DBs present in virtual machines is available in all major Azure regions. This functionality allows you to have SAP HANA database protection integrated and without having to provide a specific backup infrastructure. This solution is officially certified by SAP.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 15 and 16)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

SQL Server 2019 IaaS images with Linux distribution support now available

Azure Marketplace pay-as-you-go images for SQL Server 2019 on RHEL 8.0, Ubuntu 18.04, and SLES 12 SP5 are now generally available.

Virtual machine scale sets: automatic image upgrades for custom images

Virtual machine scale sets now provide the ability to automatically deploy new versions of custom images to scale set virtual machines. Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all virtual machines in the scale set. This capability is now available in preview for custom images through Shared Image Gallery.

Automatic instance repairs for virtual machine scale sets

Virtual machine scale sets now provide the capability to automatically repair unhealthy instances based on application health status. Configure the scale set instances to emit application health by using either the application health extension or Azure Load Balancer health probes. After the automatic repairs policy is enabled, when an instance is found to be unhealthy, the scale set will automatically delete the unhealthy instance and create a new one to replace it.

Azure Migrate is now available in Azure Government

Azure Migrate provides a hub of Microsoft and partner tools to help customers meet their migration needs. Azure Migrate also offers scenarios for database migration, VDI migration, and web application migration, in addition to at-scale migration of VMware, Hyper-V, and physical servers to Azure. All Azure Migrate features, including agentless discovery and assessment, application inventory, and migration, are now available in Azure Government.

Azure File Sync v10 released

The Azure File Sync agent v10 release is being released to servers which are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed:

  • Improved sync progress in the portal
  • Improved cloud tiering portal experience
  • Support for moving the Storage Sync Service and/or storage account to a different Azure Active Directory (AAD) tenant
  • Evaluation tool now identifies files or directories that end with a period
  • Miscellaneous performance and reliability improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog by following the steps documented in KB4522409.

Networking

Azure Virtual Network supports reverse DNS lookup

Azure Virtual Network now supports reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default. Use this to quickly look up name of the VM from its IP address. Previously, using DNS queries to look up the fully qualified domain name (FQDN) for a virtual machine from its IP address would result in an NXDOMAIN response. Now, instead of getting an NXDOMAIN, you’ll receive valid FQDN of the virtual machine to which the IP address belongs.

Azure Monitor: consultation of data through Workbooks

Azure Monitor Log Analytics can collect large amounts of data and it is essential to have effective methods to make it easy to access and analyze it in a simple way. Among the various possibilities offered are the Workbooks, interactive documents that allow you to better interpret the data and do in-depth analysis, also designed for collaboration scenarios. This article lists the key features of the Workbooks and the indications to use them at best.

The Workbooks combine text, Log Analytics query, Azure metrics and parameters, this is an interactive report. Interestingly, they can be accessed and editable by anyone who has access to the same Azure resources. This makes them a powerful collaboration tool between members of a team.

Possible usage scenarios

The Workbooks can be used in different scenarios, for example:

  • Guide tool for troubleshooting and post-mortem incidents. Not only can you highlight the impact of an application or virtual machine outage, but it will also be possible to combine data and provide written explanations. This can become a guide tool to discuss the steps needed to prevent future service outages.
  • Explore the use of a particular application or virtual machine when you don't know the metrics of interest in advance. In fact,, unlike other analysis tools, The Workbooks combine multiple types of visualizations and analysis, making them a great tool for freeform exploration.
  • Show your team the performance of a new application feature or the performance of a new virtual machine, giving visibility of key metrics of interest.
  • Sharing the results of experimentation work on an application with other team members. You have the ability to detail the objectives of text experimentation and to show the Log Analytics metrics and queries used to evaluate the items of interest.

Advantages of Workbooks

Among the main advantages of Workbooks it is possible to quote:

  • Support for metrics, logs and Azure Resource Graph data.
  • Parameter support that enables interactive reports, for example, selecting an item in a table will dynamically update the associated charts and visualizations.
  • Document-like flow.
  • Ability to have Workbooks personal or shared.
  • Experience of simple creation and always with a view to collaboration.
  • Ability to tap into a public template gallery on GitHub that contains several ready-to-use Workbooks.

Workbooks Limits

The Workbooks they also have the following limitations which should be taken into consideration:

  • There are no automatic refresh mechanisms.
  • They are not designed to have a denser layout like dashboards and to have a single centralized control panel. In fact, they are designed to gain insights through an interactive path.

Deploy and use Workbooks

The section Workbooks is accessible from the Azure portal from Azure Monitor Log Analytics that from Application Insights and a gallery is available with a series of Workbooks by default.

Figure 1 – Workbooks Gallery from Azure Portal

In this GitHub repository you can view numerous templates of Workbooks. You can of course contribute by adding new ones or by processing existing ones.

The Workbooks can be composed of different sections that show graphs, Tables, text and input controls, all independently editable.

Figure 2 – Adding section to a Workbook

In order to create Workbooks according to your needs it is useful to know which elements are supported, in this regard, references to the official Microsoft documentation are provided:

Figure 3 - Example of Workbook showing the key metrics of the VMs

Figure 4 - Example of Workbook showing the highest CPU usage of VMs by region

To deploy new Workbooks through ARM templates you can refer to Microsoft's official documentation.

Conclusions

Thanks to the adoption of Workbooks it is possible to consult the data collected using visually appealing reports, with advanced features that allow you to greatly enrich the analysis experience from the Azure portal. Interactivity based on user inputs, personalization and sharing are important elements that make very useful to adopt Workbooks in specific scenarios.

Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. This article describes how to use this feature and delves into its features.

Azure Security Center (ASC) carries out a continuous assessment of the environment and is able to provide the recommendations concerning the security of the environment. As described in this article you can customize the solution to meet your own security requirements and the recommendations that are generated. In the standard tier, these recommendations may not be limited to the Azure environment alone, but it will also be possible to contemplate hybrid environments and on-premises resources.

Standard Security Center also generates alert when potential security threats are detected on resources in your environment. ASC sets priorities, lists the alerts, provides the information you need to quickly investigate issues and provides recommendations on how to resolve attacks.

Azure Event Hubs is a streaming platform for big data and a service for the ingestion of events. Can receive and process millions of events per second. The data sent to a Event Hub can be transformed and stored using any real-time analytics provider or batch or storage adapters.

The new feature that was introduced in the Azure Security Center is called Continuos Export, supports enterprise scenarios and allows you to do the following:

  • Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
  • Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
  • Export in a CSV file, for individual data exports (one shot).

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, you select the subscription for which you want to configure data export, and in the settings sidebar you select Continuos Export:

Figure 1 – Continuous export in ASC's subscription settings

In this case you chose to configure the export to a Log Analytics workspace. You can select which recommendations to export and their severity level. Also for security alerts you can choose for which level to export. Export creates an object, therefore, you should specify which resource group to place it in.. Finally, you will need to select the Log Analytics target workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The link for integration with Azure Monitor provides the ability to automatically create Alert rule already pre-configured.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules do not constitute the Action Group, therefore it is advisable to modify them to do a trigger to suit your needs.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, having gone into the recommendations and the ASC alerts in a workspace, you can configure in the Azure Monitor Alert rule customized based on Log Analytics query.

The security alerts and the ASC recommendations are stored in tables SecurityAlert and SecurityRecommendations of the workspace. The name of the Log Analytics solution that contains these tables is relative to the ASC tier, which can then be Security and Audit (standard tier) or SecurityCenterFree (tier free).

Figure 4 – Tables in Log Analytics

The configuration of Continuos Export towards Event Hubs is similar and it is the best methodology to incorporate the recommendations and the Azure Security Center alerts with third-party SIEM solutions. Following, shows the connectors for the main third-party SIEM solutions:

In Azure Sentinel is instead available Data connector , it is native to contemplate the Azure Security Center alerts.

To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.

Conclusions

With this new feature introduced in Azure Security Center, you can consolidate all the alerts and recommendations generated by the solution to other tools, opening up new possible integration scenarios even with third-party solutions. All this is made possible through an easily configurable mechanism, allowing you to be notified immediately and quickly take action. These aspects are crucial when dealing with security information.

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 13 and 14)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Azure Spot Virtual Machines are now generally available

Spot Virtual Machines provide scalability while reducing costs and they’re ideal for workloads that can be interrupted. Get unique Azure pricing and benefits when running Windows Server workloads on Spot Virtual Machines.

Storage

Direct Upload of Azure Managed Disks

Customers can bring an on-premises VHD to Azure as a managed disk in two ways: copy the VHD into a storage account before converting it into a managed disk, or attach an empty managed disk to a virtual machine and do a copy. Both of these have disadvantages. The first option requires maintaining storage accounts, while the second option has the additional cost of running virtual machines. Direct upload addresses both these issues and provides a simplified workflow by allowing you to copy an on-premises VHD directly into an empty managed disk. You can use it to upload to Standard HDD, Standard SSD, and Premium SSD managed disks of all the supported sizes.

New Azure Disk sizes and bursting support 

Azure Disks, block-level storage volumes managed by Azure and used with Azure Virtual Machines, now have new 4-GiB, 8-GiB, and 16-GiB sizes available on both premium and standard SSDs. The new disk sizes introduced on standard SSD disk provide the most cost-efficient SSD offering in the cloud, providing consistent disk performance at the lowest cost per GB. In addition, Microsoft now supports bursting on Azure premium SSD disks in all Azure regions in the public cloud. With bursting, even the smallest premium SSD disks at 4-GiB can now achieve up to 3,500 IOPS and 170 MiB/second, and better accommodate spiky workloads. It can be best used for OS disks to accelerate virtual machine (VM) boot or data disks to accommodate spiky traffic. To learn more about disk bursting, read the premium SSD bursting article.

Azure Ultra Disks: Shared disk capability in preview

Attach an Azure managed disk to multiple virtual machines (VMs) simultaneously using the new shared disks feature of Azure Managed Disks. Deploy new or migrate existing clustered applications to Azure by attaching a managed disk to multiple VMs. Shared disks also support SCSI persistent reservation protocol.

Server-side encryption with customer-managed keys for Azure Managed Disks in GA 

Azure customers already benefit from server-side encryption with platform-managed keys for Managed Disks enabled by default. Server-side encryption with customer-managed keys improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need. Today, customers can also use Azure Disk Encryption which leverages the BitLocker feature of Windows and the DM-Crypt feature of Linux to encrypt Managed Disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on Azure Disk encryption by enabling you to use any OS types and images, including custom images, for your virtual machines by encrypting data in the Storage service.

General availability of incremental snapshots of Managed Disks

Incremental snapshots are a cost-effective, point-in-time backup of managed disks. Unlike current snapshots, which are billed for the full size, incremental snapshots are billed for the delta changes to disks since the last snapshot and are always stored on the most cost-effective storage, Standard HDD storage irrespective of the storage type of the parent disks. For additional reliability, incremental snapshots are stored on Zone Redundant Storage (ZRS) by default in regions that support ZRS. Incremental snapshots provide differential capability, enabling customers and independent solution vendors (ISVs) to build backup and disaster recovery solutions for Managed Disks. It allows you to get the changes between two snapshots of the same disk, thus copying only changed data between two snapshots across regions, reducing time and cost for backup and disaster recovery. Incremental snapshots are accessible instantaneously; you can read the underlying data of incremental snapshots or restore disks from them as soon as they are created. Azure Managed Disk inherit all the compelling capabilities of current snapshots and have a lifetime independent from their parent managed disks and independent of each other.

New additions to the Azure Archive Storage partner network

Azure Archive Storage is now integrated with new partners including IBM Spectrum Protect Plus, NetApp StorageGRID, Rubrik, and Veritas NetBackup, making the partner network even more comprehensive. Other Azure Archive Storage partners include Archive360, CloudBerry Lab, Cohesity, Commvault, HubStor, Igneous, NetApp, and Tiger Technology. 

Networking

IPv6 for Azure Virtual Network is generally available

IPv6 for Azure Virtual Network is now generally available worldwide. IPv6 support within the Azure Virtual Network and to the internet enables you to expand into the growing mobile and IoT markets with Azure-based applications and to address IPv4 depletion in your own corporate networks.

Azure Container Registry support for Private Link now in preview

Azure Container Registry now supports Private Link, a means to limit network traffic of resources within the virtual network.

Azure Edge Zones extends Azure services to the edge

Azure Edge Zones combines the power of Azure, 5G, carriers, and operators around the world to enable new scenarios for developers, customers and partners. These new offerings are coming to preview and will help local telecoms and carrier partners drive new solutions for business and society, including autonomous vehicles, smart cities, virtual reality, and other smart industry use cases. 

Azure Stack

Azure Stack Edge

Azure Stack Edge preview

Microsoft also announced the expansion of Azure Stack Edge preview with the NVIDIA T4 Tensor Core GPU. Azure Stack Edge is a cloud managed appliance that provides processing for fast local analysis and insights to the data. With the addition of an NVIDIA GPU, customers are able to build in the cloud then run at the edge.

Azure Stack Hub

Azure Stack Hub preview

Microsoft, in collaboration with NVIDIA, is announcing that Azure Stack Hub with Azure NC-Series Virtual Machine (VM) support is now in preview. GPU support in Azure Stack Hub unlocks a variety of new solution opportunities. With our Azure Stack Hub hardware partners, customers can choose the appropriate GPU for their workloads to enable Artificial Intelligence, training, inference, and visualization scenarios.

Event Hubs on Azure Stack Hub in preview

We are now announcing the availability of the preview version of Event Hubs on Azure Stack Hub. Event Hubs on Azure Stack Hub will allow you to realize cloud and on-premises scenarios that use streaming and event-based architectures.

Azure management services and System Center: What's New in March 2020

In March there have been several news announced by Microsoft on the Azure management services and System Center. In this summary, that we report on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

Azure Monitor

Azure Security Center integration

In Azure Security Center (ASC) integration with Azure Monitor has been introduced. In fact, in ASC it has been made available the ability to export continues toward a Log Analytics workspace. With this feature, you can configure Azure Monitor alert rules against recommendations and alerts exported from the Security Center. As a result, you can enable action groups to achieve automation scenarios supported by Azure Monitor.

Service availability Azure Monitor for VMs

In Azure monitor, the service that monitors virtual machines has been released, calledAzure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies.

The serviceAzure Monitor for VMsis divided into three different perspectives:

  • Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met.
  • Performance: shows summary details of performance, from the guest operating system.
  • Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

New agent version for Windows and Linux systems

A new version of the Log Analytics agent has been released this month for Window systemss and for Linux systems. In both cases they are introduced several improvements and increased stability.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 18 may 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 45 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Azure Backup

Azure Backup Report

Azure Backup has announced the release of the solution Azure Backup Report. It's a tool available in the Azure portal that provides reports to answer many questions about backup progress, including: “What backup items consume more storage space?”, “Which machines have consistently had abnormal backup behaviors?”, “What are the main causes of the backup job failure?”. Reports provide cross-sectional information across different types of workloads, Vaults, subscriptions, regions and tenants. This tool also provides support for Windows Server 2008, to facilitate the migration steps of the on-premises systems based on Windows Server 2008 to Azure, process by which you can continue to get security patches.

Azure Automation

Availability in new regions

Azure Automation is now available in preview in the regions ” US Gov Arizona”.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Azure IaaS and Azure Stack: announcements and updates (March 2020 – Weeks: 11 and 12)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Virtual Network NAT generally available

Azure Virtual Network NAT (Network Address Translation) simplifies outbound-only Internet connectivity for virtual networks. NAT can be configured for one or more subnets of a virtual network and provides on-demand connectivity for virtual machines.

Private Endpoints for Azure Storage are Generally Available

Private Endpoints provide secure connectivity to Azure Storage from a Azure virtual network (VNet). On-premises networks can also securely connect to a storage account using a private endpoint when that network is to a VNet using Express Route or VPN. Private Endpoints for Azure Storage are now generally available in all Azure public regions.

Azure Web Application Firewall integration with Azure Content Delivery Network service in preview

Azure Web Application Firewall service protects your web applications from malicious attacks. In addition to Azure Application Gateway and Azure Front Door service, Web Application Firewall is now natively integrated with Azure Content Delivery Network, protecting Content Delivery Network endpoints from common exploits such as SQL injection and cross site scripting (XSS) attacks.

Private Link for different Azure services is available

Azure Private Link is now generally available (GA) for the below services:

  • Azure Storage
  • Azure Data Lake Storage Gen 2
  • Azure SQL Database
  • Azure Cosmos DB
  • Azure Synapse Analytics (SQL Data Warehouse)
  • Azure Key Vault
  • Azure Database for MySQL
  • Azure Database for PostgreSQL
  • Azure Database for MariaDB
  • Azure Kubernetes Service -> Kubernetes API

In addition, Private Link is now available in preview for the following services:

  • App Service
  • Azure Cognitive Search
  • Event Hub
  • Service Bus
  • Azure Relay
  • Azure Backup
  • Azure Container Registry
  • Event Grid -> Topics
  • Event Grid -> Domains

App Service regional Virtual Network integration

The regional Virtual Network integration feature has now entered general availability (GA) and supports sending all outbound calls into your virtual network. Use features like network NSGs and UDRs against all outbound traffic from your web app.

Azure Shared Disks for clustered applications in preview

Azure Shared Disks is a shared block storage offering, enabling customers to run latency-sensitive workloads without compromising on well-known deployment patterns for fast failover and high availability. Azure Shared Disks are best suited for clustered databases, parallel file systems, persistent containers, and machine learning applications. Azure Shared Disks provide a consistent experience for applications running on Windows or Linux based clusters today.

ACR built-in audit policies for Azure Policy in preview

Azure Container Registry now supports built-in audit policies for Azure Policy.

Preparing for TLS 1.2 in Microsoft Azure

Microsoft Azure recommends all customers complete migration towards solutions that support transport layer security (TLS) 1.2 and to make sure that TLS 1.2 is used by default.

Azure File Sync agent version 6.x will expire on April 21, 2020

On April 21, 2020, Azure File Sync agent version 6.x will be expired and stop syncing. If you have servers with agent version 6.x, update to a supported agent version (7.x or later).

Azure Storage: Append Blob immutability support is generally available

Store business-critical data objects in a non-erasable and non-modifiable state for a user-specified retention interval using immutable storage for Azure Blob storage. Append blobs allow the addition of new data blocks to the end of an object and are optimized for data append operations required by auditing and logging scenarios.

General availability of NVv4 and HBv2-Series virtual machines

General availability of NVv4 virtual machines in South Central US, East US, and West Europe regions. Additional regions are planned in the coming months. With NVv4, Azure is the first public cloud to offer GPU partitioning built on industry-standard SR-IOV technology. HBv2-series VMs for HPC are now available in the Azure West Europe region.